Episode 75

Posted on Friday, May 22, 2020
In episode 75 we look at security updates for APT, json-c, Bind, the Linux kernel and more, plus Joe and Alex discuss recent phishing attacks and the Wired biopic of Marcus Hutchins.

Show Notes

This week in Ubuntu Security Updates

26 unique CVEs addressed

[USN-4358-1] libexif vulnerabilities [00:44]

  • 2 CVEs addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • Divide by zero and an infinite loop (DoS) when handling crafted EXIF content

[USN-4359-1] APT vulnerability [01:19]

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • APT has its own ar archive handling code
  • Stack buffer OOB read for ar archive members with specially crafted names: the code tried to handle spaces in member names, but if a name consisted entirely of spaces it would overrun the name and read past the end of it
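
Added example, not from the podcast and not APT's code: a bounded parser for the ar(5) member header, showing how the 16-byte space-padded name field is trimmed without ever indexing outside it, including the all-spaces case described above. The 60-byte header layout is the standard ar format; the function names (ar_member_name, ar_parse_size, ar_parse_header, ar_make_header) and the constructed sample headers are ours.

```c
/* Added example for these notes, not APT's code: bounded handling of
 * the ar(5) member header. The 60-byte layout (16-byte name, 12-byte
 * mtime, 6-byte uid, 6-byte gid, 8-byte mode, 10-byte size, 2-byte
 * magic "`\n", all ASCII and space padded) is the standard format;
 * the function names and sample headers are ours. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define AR_HDR_LEN   60
#define AR_NAME_LEN  16
#define AR_SIZE_OFF  48
#define AR_SIZE_LEN  10
#define AR_MAGIC_OFF 58

/* Copy the member name out of the 16-byte name field (`field` must
 * point at least AR_NAME_LEN bytes), dropping the trailing space
 * padding. The scan is bounded by the field length on both ends, so a
 * field that is entirely spaces yields an empty name instead of a walk
 * beyond the field. Returns the name length, or (size_t)-1 when `out`
 * cannot hold the name plus a terminator. */
size_t ar_member_name(const char *field, char *out, size_t outlen)
{
    size_t end = AR_NAME_LEN;
    while (end > 0 && field[end - 1] == ' ')   /* never steps below index 0 */
        end--;
    if (end + 1 > outlen)
        return (size_t)-1;
    memcpy(out, field, end);
    out[end] = '\0';
    return end;
}

/* Parse the decimal size field. Digits must be followed only by padding
 * spaces, and the accumulator is checked before each step so a crafted
 * field cannot overflow it. Returns 0 on success, -1 on a bad field. */
int ar_parse_size(const char *field, size_t fieldlen, unsigned long long *out)
{
    unsigned long long v = 0;
    size_t i = 0;
    if (fieldlen == 0 || field[0] == ' ')
        return -1;                              /* empty size field */
    for (; i < fieldlen && field[i] != ' '; i++) {
        if (field[i] < '0' || field[i] > '9')
            return -1;                          /* not a digit */
        if (v > (ULLONG_MAX - 9) / 10)
            return -1;                          /* next digit would overflow */
        v = v * 10 + (unsigned long long)(field[i] - '0');
    }
    for (; i < fieldlen; i++)
        if (field[i] != ' ')
            return -1;                          /* junk after the padding */
    *out = v;
    return 0;
}

/* Validate one header and extract its name and size.
 * Returns 0 on success, -1 if the header is short or malformed. */
int ar_parse_header(const char *hdr, size_t hdrlen,
                    char *name, size_t namelen, unsigned long long *size)
{
    if (hdrlen < AR_HDR_LEN)
        return -1;                              /* truncated header */
    if (memcmp(hdr + AR_MAGIC_OFF, "`\n", 2) != 0)
        return -1;                              /* bad magic */
    if (ar_member_name(hdr, name, namelen) == (size_t)-1)
        return -1;
    return ar_parse_size(hdr + AR_SIZE_OFF, AR_SIZE_LEN, size);
}

/* Build a constructed header for demonstration: fields are space padded,
 * the name and size text are copied in (truncated to field width), and
 * the magic is set. */
void ar_make_header(char hdr[AR_HDR_LEN], const char *name, const char *size)
{
    memset(hdr, ' ', AR_HDR_LEN);
    memcpy(hdr, name, strlen(name) <= AR_NAME_LEN ? strlen(name) : AR_NAME_LEN);
    memcpy(hdr + AR_SIZE_OFF, size,
           strlen(size) <= AR_SIZE_LEN ? strlen(size) : AR_SIZE_LEN);
    memcpy(hdr + AR_MAGIC_OFF, "`\n", 2);
}

int main(void)
{
    char hdr[AR_HDR_LEN], name[AR_NAME_LEN + 1];
    unsigned long long size;

    /* A header as found in a .deb: member "debian-binary", 4 bytes. */
    ar_make_header(hdr, "debian-binary", "4");
    if (ar_parse_header(hdr, sizeof hdr, name, sizeof name, &size) == 0)
        printf("member '%s', %llu bytes\n", name, size);

    /* The edge case from the notes: a name field that is all spaces. */
    ar_make_header(hdr, "", "4");
    if (ar_parse_header(hdr, sizeof hdr, name, sizeof name, &size) == 0)
        printf("member '%s' (empty name, length %zu)\n", name, strlen(name));
    return 0;
}
```

The point of the example is the loop condition in ar_member_name: the index is tested against zero before each step back, so the all-spaces field terminates with an empty name rather than continuing off the start of the buffer, and the size parser applies the same discipline to its own field.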

[USN-4360-1] json-c vulnerability [02:04]

  • 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • Integer overflow -> OOB write when parsing a large JSON file

[USN-4360-2, USN-4360-3] json-c regression [02:27]

  • Affecting Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • The upstream fix had a bug: the logic intended to handle the integer overflow was inverted, so INT_MAX (2GB) of memory would be allocated
  • On machines with little memory this could exhaust it all and trigger the OOM killer
  • Part of the package's install logic triggers a re-exec of upstart (which serialises its state via libjson), so this could cause upstart to consume all memory, be killed by the OOM killer and leave the system unable to boot
  • upstart is not the default init on xenial and later, and the initial update was delayed for ESM, so only a small number of users would be affected (those running 16.04 LTS/xenial who had manually configured upstart as their init)
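
Added example, not from the podcast and not json-c's code: the integer-overflow guard of a growable byte buffer, written correctly, beside the same guard with its condition inverted, to show how a flipped check turns every ordinary append into a request for INT_MAX bytes. The inverted variant only computes the capacity it would ask for; nothing here allocates 2GB. The names (buf, buf_new_capacity, buf_new_capacity_inverted, buf_append) are ours.

```c
/* Added example for these notes, not json-c's code: the integer-overflow
 * guard of a growable byte buffer, written correctly, next to the same
 * guard with its condition inverted. The inverted variant only reports
 * the capacity it would request; nothing in this file allocates INT_MAX
 * bytes. Names (buf, buf_new_capacity, ...) are ours. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity for a buffer holding `size` bytes that must take `extra`
 * more. Refuses (-1) when size + extra would overflow int; otherwise
 * doubles where possible for amortised O(1) appends. */
int buf_new_capacity(int size, int extra)
{
    if (size < 0 || extra < 0)
        return -1;
    /* Test before adding: writing "size + extra > INT_MAX" would itself
     * overflow, so rearrange to keep every operation in range. */
    if (extra > INT_MAX - size)
        return -1;                       /* too large: caller reports an error */
    int needed = size + extra;
    if (size <= INT_MAX / 2 && size * 2 > needed)
        return size * 2;                 /* doubling is safe and sufficient */
    return needed;                       /* exact fit (or doubling would overflow) */
}

/* The regression pattern the notes describe: the guard's sense is
 * inverted, and the "too large" branch clamps to INT_MAX rather than
 * refusing. Every ordinary request now takes that branch and asks for
 * about 2 GiB, which on a small machine invites the OOM killer. */
int buf_new_capacity_inverted(int size, int extra)
{
    if (size < 0 || extra < 0)
        return -1;
    if (!(extra > INT_MAX - size))       /* BUG: negated condition */
        return INT_MAX;                  /* clamp path, taken for small requests */
    return -1;                           /* only genuinely overflowing requests get here */
}

/* Minimal growable buffer using the correct guard. */
struct buf {
    char *data;
    int   len;
    int   cap;
};

/* Append n bytes; returns 0 on success, -1 (buffer untouched) when the
 * request cannot be satisfied. */
int buf_append(struct buf *b, const void *src, int n)
{
    if (n < 0)
        return -1;
    if (n == 0)
        return 0;
    if (b->cap - b->len < n) {
        int newcap = buf_new_capacity(b->len, n);
        if (newcap < 0)
            return -1;                   /* refused before any allocation */
        char *p = realloc(b->data, (size_t)newcap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, src, (size_t)n);
    b->len += n;
    return 0;
}

int main(void)
{
    struct buf b = { NULL, 0, 0 };
    buf_append(&b, "hello", 5);
    buf_append(&b, " world", 6);
    printf("%.*s (len %d, cap %d)\n", b.len, b.data, b.len, b.cap);

    /* Same small request through both guards: 64 bytes used, 10 more wanted. */
    printf("correct guard asks for %d bytes\n", buf_new_capacity(64, 10));
    printf("inverted guard asks for %d bytes (INT_MAX is %d)\n",
           buf_new_capacity_inverted(64, 10), INT_MAX);

    /* A request that really would overflow is refused, not clamped. */
    printf("oversized append -> %d\n", buf_append(&b, "x", INT_MAX));
    free(b.data);
    return 0;
}
```

A regression like the one in the notes is cheap to catch before release: a unit test that appends a few bytes and asserts the resulting capacity is small would have failed immediately against the inverted guard, since it reports INT_MAX for every normal request.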

[USN-4361-1] Dovecot vulnerabilities [04:13]

  • 3 CVEs addressed in Eoan (19.10), Focal (20.04 LTS)
  • 3 issues discovered by Philippe Antoine
    • UAF when a command is followed by a sufficient number of newlines -> crash
    • Empty quoted localpart or malformed NOOP commands -> crash

[USN-4362-1] DPDK vulnerabilities [04:47]

  • 5 CVEs addressed in Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • Data Plane Development Kit (provides TCP offloading to userspace to accelerate packet processing workloads)
  • Used by openvswitch for OpenStack software defined networking
  • Memory leak and file-descriptor leak -> DoS
  • Guest-to-host crash via a missing check on an address in an I/O descriptor
  • Failure to validate key lengths
  • Guest-triggered integer overflow on the host -> crash

[USN-4367-1] Linux kernel vulnerabilities [05:51]

  • 3 CVEs addressed in Focal (20.04 LTS)
  • 5.4 kernel
  • UAF due to a race condition in the BFQ block I/O scheduler in the block subsystem
  • Bug in parsing of tmpfs mount options -> stack overflow (root privileges are needed to specify mount options)
  • UAF in btrfs when handling a specially crafted filesystem image

[USN-4363-1] Linux kernel vulnerabilities [06:42]

  • 4 CVEs addressed in Xenial (16.04 LTS), Bionic (18.04 LTS)
  • 4.15 kernel
  • Block I/O scheduler UAF
  • PowerPC-specific guest -> host VM crash on save/restore of the Authority Mask Registers
  • tmpfs mount option parsing bug
  • Serial CAN driver did not initialise stack data, so could leak kernel stack memory to userspace

[USN-4364-1] Linux kernel vulnerabilities [07:30]

[USN-4368-1] Linux kernel vulnerabilities [07:59]

[USN-4365-1] Bind vulnerabilities [08:31]

[USN-4366-1] Exim vulnerability [09:14]

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS), Eoan (19.10), Focal (20.04 LTS)
  • OOB read in the Secure Password Authentication (SPA, also known as NTLM) authenticator, which could result in SPA/NTLM authentication bypass

Goings on in Ubuntu Security Community

Get in contact